How Effective Are Phishing Simulations?


By Zachary Amos, Features Editor at ReHack

Organizations conduct phishing simulations by sending simulated phishing emails to their employees. These simulations aim to gauge the organization’s susceptibility to phishing attacks and teach employees how to identify and counter genuine threats.

Determining the Effectiveness of Phishing Simulations

Companies must use a multifaceted approach to determine their phishing simulations’ effectiveness. Using qualitative and quantitative metrics can help them see vulnerabilities and retraining opportunities, enhancing the employees’ security knowledge. The following are signs that the simulation was successful.

Behavioral Changes and Quantitative Metrics

Phishing simulations should make employees question suspicious emails and either report or delete them rather than engage. Over time, a drop in click rates on these simulated emails usually shows heightened employee caution.

With phishing simulations, organizations receive tangible data. They can tally the number of employees who opened the email, clicked links or gave away sensitive data. With 95% of all data breaches caused by human error, monitoring these figures across various simulations is essential for keeping the organization’s security protocols up-to-date. 

Enhanced Reporting and Increased Awareness

As employees learn about phishing threats, they become more inclined to report actual phishing attempts, strengthening the organization’s cybersecurity. Furthermore, knowing their organization undertakes phishing simulations can heighten employees’ general threat awareness. 

When the I.T. or systems administrator finds more inquiries or reports from employees, it’s a sign they’re more vigilant about phishing attempts. Administrators must gather this data, address immediate threats and detect patterns in the false alarms. Do they point to a lack of understanding of what phishing attacks look like? What is it about the suspected emails that triggered the employee’s attention? Administrators can use these points for retraining. 

Tailored Training and Testing Incident Response

Organizations can create phishing simulations to target specific departments or roles at greater risk or with more sensitive data access. As artificial intelligence (AI) continues to grow in effectiveness and accessibility, AI-powered phishing simulations are becoming more common. Generative AI is frequently used in simulation and content generation, allowing organizations to tailor phishing tests to their specific needs.

This process enables more personalized training and flexible learning. These simulations also test an organization’s incident response: they measure how quickly a threat is identified, reported and contained.
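The quantitative metrics described above (open, click and credential-submission rates, report rates, the trend across simulations, the per-department view used for tailored training, and the time-to-report figure that reflects incident response speed) are simple to compute from a campaign event log. The following Python is an added example, not code from the article or any simulation vendor; the event schema (campaign id, user, department, action, timestamp) and the two-campaign sample log are constructed assumptions.

```python
"""Phishing-simulation metrics over a campaign event log (added example).

The event schema and sample data are constructed assumptions, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    campaign: str     # simulation campaign id (constructed)
    user: str
    department: str
    action: str       # one of: sent, opened, clicked, submitted, reported
    ts: datetime


# Constructed campaign start times; every recipient has a "sent" event at offset 0.
START = {"Q1": datetime(2024, 1, 8, 9, 0), "Q2": datetime(2024, 4, 8, 9, 0)}


def _ev(campaign, user, dept, action, minutes):
    return Event(campaign, user, dept, action, START[campaign] + timedelta(minutes=minutes))


# Constructed sample log: two quarterly simulations sent to the same four people.
EVENTS = [
    _ev("Q1", "alice", "finance", "sent", 0),
    _ev("Q1", "alice", "finance", "clicked", 6),
    _ev("Q1", "alice", "finance", "submitted", 7),   # entered credentials on the landing page
    _ev("Q1", "bob", "finance", "sent", 0),
    _ev("Q1", "bob", "finance", "opened", 10),
    _ev("Q1", "bob", "finance", "reported", 12),
    _ev("Q1", "carol", "eng", "sent", 0),
    _ev("Q1", "carol", "eng", "clicked", 31),
    _ev("Q1", "carol", "eng", "clicked", 40),        # repeat click by the same user; counted once
    _ev("Q1", "dave", "eng", "sent", 0),             # never engaged and never reported
    _ev("Q2", "alice", "finance", "sent", 0),
    _ev("Q2", "alice", "finance", "reported", 4),
    _ev("Q2", "bob", "finance", "sent", 0),
    _ev("Q2", "bob", "finance", "reported", 20),
    _ev("Q2", "carol", "eng", "sent", 0),
    _ev("Q2", "carol", "eng", "clicked", 9),
    _ev("Q2", "dave", "eng", "sent", 0),
    _ev("Q2", "dave", "eng", "reported", 45),
]


def campaign_metrics(events, campaign):
    """Rates are per unique recipient; report latency is measured from each user's own 'sent' event."""
    evs = [e for e in events if e.campaign == campaign]
    sent_at = {e.user: e.ts for e in evs if e.action == "sent"}
    users_by_action = defaultdict(set)
    minutes_to_report = {}
    for e in evs:
        users_by_action[e.action].add(e.user)
        if e.action == "reported":
            mins = (e.ts - sent_at[e.user]).total_seconds() / 60
            minutes_to_report[e.user] = min(mins, minutes_to_report.get(e.user, mins))
    n = len(sent_at)
    return {
        "recipients": n,
        "click_rate": len(users_by_action["clicked"]) / n,
        "submit_rate": len(users_by_action["submitted"]) / n,
        "report_rate": len(users_by_action["reported"]) / n,
        "minutes_to_first_report": min(minutes_to_report.values(), default=None),
        "median_minutes_to_report": median(minutes_to_report.values()) if minutes_to_report else None,
    }


def department_click_rates(events, campaign):
    """Click rate per department, so retraining can be targeted where it is needed."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        if e.campaign != campaign:
            continue
        if e.action == "sent":
            sent[e.department].add(e.user)
        elif e.action == "clicked":
            clicked[e.department].add(e.user)
    return {d: len(clicked[d]) / len(sent[d]) for d in sorted(sent)}


def departments_needing_retraining(events, campaign, threshold=0.3):
    # The 0.3 threshold is an assumed policy value, not a figure from the article.
    return [d for d, r in department_click_rates(events, campaign).items() if r >= threshold]


def campaign_trend(events, campaigns):
    """Change in click and report rates between consecutive campaigns (a negative click change is an improvement)."""
    rows = [campaign_metrics(events, c) for c in campaigns]
    return [
        {"campaign": c,
         "click_rate_change": b["click_rate"] - a["click_rate"],
         "report_rate_change": b["report_rate"] - a["report_rate"]}
        for c, a, b in zip(campaigns[1:], rows, rows[1:])
    ]


if __name__ == "__main__":
    for c in ("Q1", "Q2"):
        print(c, campaign_metrics(EVENTS, c), departments_needing_retraining(EVENTS, c))
    print(campaign_trend(EVENTS, ["Q1", "Q2"]))
```

Rates are counted per unique recipient so a user who clicks twice is not double-counted, and report latency is taken from each recipient's own delivery time rather than the campaign start, which matters when a simulation is staggered. In the constructed data the click rate falls from 0.50 to 0.25 and the report rate rises from 0.25 to 0.75 between the two campaigns, while the engineering department stays at a 0.50 click rate and is still flagged for retraining, which is the kind of per-group signal the tailored-training approach relies on.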

Challenges and Drawbacks of Phishing Simulations

As with any enterprise activity, challenges and drawbacks exist with phishing simulation.

  • Trust Issues: Mishandled phishing simulations can damage trust between employees and the I.T. team or management. Employees might feel that the organization is setting them up or deceiving them.
  • Frequency: Simulations that occur too often can cause “alert fatigue,” making employees neglect genuine threats.
  • False Confidence: Fewer clicks on simulated emails don’t guarantee that employees will remain vigilant against more complex real phishing attempts.
  • Stagnation: Repetitively using the same phishing email type might lead employees to recognize the simulation’s pattern, not the general phishing email traits.

For optimal phishing simulation outcomes, administrators must incorporate them into a detailed cybersecurity awareness program and use results to drive training and education, not to reprimand employees. Provide immediate feedback and teaching, guiding on missed aspects and future threat recognition.

Real-World Cases of Phishing Simulations

These instances emphasize the advantages of phishing simulations. Nevertheless, as some cases will show, organizations must balance effective testing, using professional, cutting-edge tools, against maintaining employee trust and morale.

West Midland Trains (U.K.)

In 2019, WMT created a stir by sending its staff a simulated phishing email that promised a work bonus, testing their vulnerability to phishing. The company received plenty of backlash, illustrating the need for sensitive simulations.

GoDaddy

In 2020, GoDaddy faced criticism for a simulated phishing email about a holiday bonus. Though the method was debated, it highlighted the importance of transparency.

State Agencies and Government Bodies

Many U.S. state agencies use phishing simulations. For instance, after an initial high vulnerability rate, the State of Colorado’s Office of Information Technology introduced an in-depth training program that included simulations, leading to a considerable drop in vulnerability.

Health Care Institutions

Given the confidential nature of their data, many health care institutions have employed phishing simulations. For example, after a real phishing event, the Children’s Hospital of Philadelphia boosted its phishing simulation activities, resulting in better staff alertness and faster suspicious email reporting.

Devastating Phishing Attacks in History

Phishing attacks have threatened organizations significantly for years, and some major incidents have caused severe data breaches and financial losses. Here are several high-profile phishing incidents that impacted companies:

Finding Better Phishing Strategies

Phishing simulations serve as a proactive tool for organizations to assess and enhance their defenses against threats. When executed thoughtfully, these simulations can foster a culture of vigilance, empower employees with the knowledge to act wisely and significantly reduce vulnerabilities. 

Ultimately, as cyber threats continue to advance in complexity, the need for clever and sensitively conducted simulations will only grow, so organizations must invest more time and resources into creating simulations that meet both requirements.


As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.
